Botnets
Abhishek Debchoudhury
Jason Holmes

What is a botnet?
A network of computers running software that runs autonomously. In a security context we are interested in botnets in which the computers have been compromised and are under the control of a malicious adversary.

What are botnets used for?
• Spam
  o ~85% of email is spam
• DDoS attacks
• Identity theft
  o Cost in 2006: $15.6 billion
• Phishing attacks
  o 4,500 active sites at any given time; 1 million previously active sites

What are botnets used for?
• Hosting pirated software
• Hosting and distributing malware
• Click fraud
  o ~14% of all advertisement clicks are fraudulent
• Packet sniffing

What's a botmaster?
• Person(s) controlling the botnet
  o Business person
    - Often paid by customers
    - Willing to rent out the botnet
  o Glory hound
    - Brags about the size of the botnet
    - Willing to talk to researchers
  o Script kiddies
    - Inexperienced

Command Topologies
• Star
  o Bots tied to a centralized C&C server
• Multi-server
  o Same as star, but with multiple C&C servers
• Hierarchical
  o Parent bots control child bots
• Random
  o Full P2P support

Topology Tradeoffs: Control vs. Survivability
• More control
  o Easier to get the botnet to do your bidding
  o Easier to shut down
• Survivability
  o Harder to shut down
  o Less control

Communication Methods
• HTTP
  o Easy for the attacker to blend in
• IRC
  o Harder to hide, since IRC is much less used than HTTP
• Custom
  o Makes use of new application protocols

Propagation Methods
• Scanning
  o 0-day attacks
  o Worm-like behavior
• Infected e-mail attachments
• Drive-by downloads
• Trojan horses

Infection Procedure

History and Notable Botnets
• 1999 - Sub7
• 2000 - GTbot, a bot based on mIRC
• 2002 - SDbot, a small C++ binary with widely available source code
• 2002 - Agobot, staged attack with a modular payload
• 2003 - Sinit, the first peer-to-peer botnet
• 2004 - Bagle and Bobax, the first spamming botnets
• 2007 - Storm botnet
• 2009 - Waledac botnet
• 2009 - Zeus botnet

Defense
Three main issues:
1. How to find them
2. Decide how to fight them (defense vs. offense)
3. How to negate the threat

Detection: Analyze Network Traffic
• Temporal
  o Same repeated traffic pattern from a node
• Spatial
  o Nodes in the same subnet are likely infected

Detection: Packet Analysis
• Using statistical analysis on network traffic flows
• Classify packets based on payload signature and destination port
  o Looking for clusters of similar data packets
  o n-gram byte distribution
• IRC botnet traffic is not very diverse compared to traffic generated by humans

Strategy
Active: attack the source
• Shut down the C&C server
• Re-route DNS
• Pushback
Passive: defend at the target
• Filters
• Human attestation
• Collective defense

Defense - Change DNS Routing
Defender figures out the domain the attacker is using and takes control of it.
Pros:
• Central point of attack
• Severs the botmaster's ability to communicate with the botnet
Cons:
• Not all botnets have a C&C server
• C&C domain changes often
  o > 97% turnover per week

Defense - Blacklists
Defender creates a list of attackers. Used primarily as a spam-fighting technique.
Pros:
• Allows for broad knowledge sharing
• Easy to maintain/understand
Cons:
• List has to be continually updated
• Innocent service providers get blocked

Defense - Human Attestation
Defender requests that the client prove its humanity.
• Requires the client to have a trusted attester
  o Accomplished through the use of a Trusted Platform Module
• Several methods for an attester to determine that the actions were initiated by a human
  o Secure input devices that cryptographically sign their output
  o CAPTCHA or secure prompt
  o Analysis of keystrokes and mouse movement

Defense - Collective Defense
"We must all hang together or assuredly we shall all hang separately."
-- Benjamin Franklin
• Key contentions
  o Most end users don't know/care about security
  o The best way to secure the Internet is through a collective effort that does not rely on end users
  o Compromised hardware must be quarantined until healthy
• Authenticate healthiness before network access
  o Public Health Model for the Internet
• Allow everyone but identify suspicious behavior
  o Japan's Cyber Clean Center
  o Finnish national Computer Emergency Response Team

Thanks
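As an added worked example of the "Detection: Packet Analysis" slides (not part of the original deck): byte n-gram histograms per packet, cosine similarity to find clusters of near-identical payloads, and a per-flow diversity score that separates a host repeating the same IRC command line from a host carrying varied human chat. The two sample flows and the 0.8 threshold are constructed for illustration.

```python
import math
from itertools import combinations
from collections import Counter

# Constructed sample flows (not captured traffic): one host repeating the same
# IRC command line, and one host carrying ordinary human chat on the same protocol.
BOT_FLOW = [
    b"PRIVMSG #c0ntrol :.scan 10.0.0.0/8 445\r\n",
    b"PRIVMSG #c0ntrol :.scan 10.0.0.0/8 445\r\n",
    b"PRIVMSG #c0ntrol :.scan 10.1.0.0/8 445\r\n",
    b"PRIVMSG #c0ntrol :.scan 10.0.0.0/8 445\r\n",
]
HUMAN_FLOW = [
    b"PRIVMSG #chat :hey, is anyone around tonight?\r\n",
    b"PRIVMSG #chat :did you finish the lab report yet\r\n",
    b"PRIVMSG #chat :brb, coffee machine is broken again\r\n",
    b"PRIVMSG #chat :lol that talk went way over time\r\n",
]

def ngram_counts(payload: bytes, n: int = 2) -> Counter:
    """Byte n-gram histogram of one packet payload (the slides' n-gram byte distribution)."""
    return Counter(payload[i:i + n] for i in range(len(payload) - n + 1))

def cosine(a: Counter, b: Counter) -> float:
    """Cosine similarity between two n-gram histograms; 1.0 means identical shape."""
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    norm = math.sqrt(sum(v * v for v in a.values())) * math.sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0

def flow_similarity(payloads, n: int = 2) -> float:
    """Mean pairwise similarity of all packets in one flow. A value near 1.0 means
    the host keeps sending the same thing: the low-diversity signature the slides
    attribute to IRC bot traffic, as opposed to varied human-generated text."""
    hists = [ngram_counts(p, n) for p in payloads]
    pairs = list(combinations(hists, 2))
    return sum(cosine(a, b) for a, b in pairs) / len(pairs) if pairs else 0.0

def classify_flow(payloads, threshold: float = 0.8, n: int = 2) -> str:
    """Flag a flow whose packets cluster too tightly. The threshold is a constructed
    starting point for tuning, not a value taken from the slides."""
    return "suspicious" if flow_similarity(payloads, n) >= threshold else "normal"

if __name__ == "__main__":
    for name, flow in (("bot", BOT_FLOW), ("human", HUMAN_FLOW)):
        print(f"{name}: similarity={flow_similarity(flow):.2f} -> {classify_flow(flow)}")
```

In practice the same score would be computed per source host over a time window, which also captures the "same repeated traffic pattern from a node" temporal signal from the preceding slide.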